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Domain Fronting 101 


Domain Fronting 101 


e Tounderstand Domain Fronting, you must first understand HTTP over TLS (aka HTTPS) 
e Server Name Indication (SNI) allows multiple sites to be hosted on the same IP 
e TLS 1.3 enables encrypted certificates and encrypted Server Name Identification (ESNI) 


e DNS over TLS or HTTPS + TLS 1.3 = domain fronting 2.0 or “domain hiding” 
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HTTP Basics 


e First, a user requests the IP of a server via DNS 
e Thisis an unencrypted packet sent to UDP port 53 


11111 


DNS 
defcon28.hackthis.computer: type A, class IN 


m = 
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HTTP Basics 


e The DNS server responds with an IP address 
e The response is also unencrypted 


(sise) 
[rosea 
WED 
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DNS 
mn A, class IN, addr 104.27.141.154 
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| etl 
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HTTP Basics 


e The user sends a GET request, using the domain in the “Host” header 
e TCP port 80 - unencrypted 


ima 
im GET / HTTP/1.1 az 


Host: defcon28.hackthis.computer [col 
5 


11111 
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HTTP Basics 


e The server responds with HTML content 


I 
DNS 


i i aE. 
Hello DEF CON 


</html> 


U 
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HTTP Basics 


e Obviously bad because nothing is encrypted 
e Both the DNS and HTTP request and response are in plaintext 


mi <html> D 
Hello DEF CON =D 


</html> 
1/11 
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e Obviously bad because nothing is encrypted 
= Both the DNS and HTTP request and response are in plaintext 
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HTTPS Basics 


e Starts off the same way, a user requests the IP of a server via DNS 
e This is an unencrypted connection on UDP port 53 


11111 


DNS 
defcon28.hackthis.computer: type A, class IN 
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HTTPS Basics 


e The DNS server responds with an IP address 
e The response is also unencrypted 


(sise) 
[rosea 
WED 
LILI 
DNS 
mn A, class IN, addr 104.27.141.154 
im 
| etl 
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HTTPS Basics 


e The user sends a ClientHello to start the TLS handshake 
e Server uses the “server_name” field (plaintext) to lookup how to respond 


server { 
listen 443; 
ae server name defcon28.hackthis.computer; 
ClientHello ssl_certificate /path/to/cert.pem; 


server_name defcon28.hackthis.computer 


sg 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 
Web Server arg 
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HTTPS Basics 


The server responds with a certificate (in plaintext unless TLS 1.3) and completes the 


handshake 
All data after the handshake is encrypted 


server { 
listen 443; 
biti I server name defcon28.hackthis.computer; 
ServerHello ssl certificate /path/to/cert.pem; 
Certificate ine eee 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 
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HTTPS Basics 


e Much better than HTTP 
e Entire DNS process and the certificate exchange process are still unencrypted 


server { 
listen 443; 
biti I server name defcon28.hackthis.computer; 
ServerHello ssl certificate /path/to/cert.pem; 
Certificate ine eee 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 
Web Server arg 
104.27.141.154 } 
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e Much better than HTTP #0 a 
e Entire DNS process and the certificate exchange process are still unencrypted 
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Domain Fronting 


Uses a hosting service to host the true destination - false destination must be on the same 
O 
o Microsoft Azure CDN 
O 


Circumvent censorship by obfuscating the domain of an HTTPS connection 
service 
o Google App Engine A 
FO App Engine 
Others 
Akamai 
amai S 
amazon 


Connect to an approved server, but send an HTTP request for the actual destination 
Amazon S3/CloudFront 
cloudfront 
Fá u re @sixcen 


Domain Fronting 


e DNS lookup as before for any site hosted by the hosting service 
e Client and Server handshake as usual 


ClientHello > 
i ll server_name metacdn.com E ss) 
VIZI /11// 
Google App Engine hackthis. computer hosted 


on Google App Engine 
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Domain Fronting 


e Client and Server handshake as usual 


(se (ea, 
< ServerHello 
Certificate for metacdn.com a) (x) 
/111/ /111/ 
Google App Engine hackthis. computer hosted 


on Google App Engine 
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Domain Fronting 


e Client sends an HTTP request with the Host header set to the actual destination 
e The CDN forwards the request as long as the destination is hosted by the service 
o Any site on GAE could be used to front for an otherwise censored GAE server 


O GET/HTTP/IMI O HTTP/1.1 
Host: hackthis. — Host: hackihis.computer > 
> 172 172 


connection Google App Engine hackthis.computer hosted 
on Google App Engine 
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Domain Fronting 


e Like a letter delivered to a house with multiple residents 
e The mailman can see the address on the outside 
e Letter on the inside goes to the correct person 
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Domain Fronting 
April 2018 - The music stops 


e Google 
o “Domain fronting has never been a supported feature at Google”! 
e Amazon 


o Implemented “Enhanced Domain Protections” 
o “no customer ever wants to find that someone else is masquerading as their 
innocent, ordinary domain”? 
o Think of the innocent ehiien ordinary domains! 
e Cloudflare 
o Only HTTP works 
e Azure 
o Still works... For now 


[1] A Google update just created a big problem for anti-censorship tools © SIXGEN 
[2] Enhanced Domain Protections for Amazon CloudFront Requests 


Domain Fronting - Issues 


e Major providers shut it down 
e Limited fronting options 

o Only sites hosted on the same provider can be used to front 
e Must host an “app” or have an account with the provider 


o Notfree 
m Bandwidth 
= CPU time 


o Complex sign up requirements 
m Identity checks 
m Phone required 
m Credit card required 
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TLS 1.3 + ESNI for 
“Domain Hiding” 


The Growth of TLS 1.3 


Qualys SSL Labs - Protocol Support of Alexa Top Sites 


100.00% 


== SSL v2.0 
= SSL v3.0 
= TLS v1.0 
= TLS v1.1 


75.00% 


= TLS v1.2 
= TLS v1.3 


50.00% 


31.7% a 


25.00% 


0.00% 
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The Growth of TLS 1.3 


TLS Versions as seen by CloudFlare 
= Other == TLS 1.0 = TLS 1.1 mm TLS 1.2 = TLS 1.3 
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DNS - Fixing the Problem 


What if you wrap a DNS request in TLS? 
How about HTTPS? (RFC 8484) 


e "The unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers 


and insiders to bypass organizational controls." - SANS 
o Great! 


TLS or HTTPS 


encrypted pa, 
DNS 


defcon28.hackthis.computer: type A, class IN 


| ea 


I 


Web Server 
[3] A New Needle and Haystack: Detecting DNS over HTTPS Usage 1042141194 
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TLS 1.3 and ESNI 


e Nowthat DNS is encrypted, it can be used to fetch a public key before an HTTPS connection is started 
e Classic Diffie-Hellman key exchange to symmetrically encrypt the server_name 
o Alldata required is sent in a single Client Hello (the client’s public key + extras) 


Type: encrypted_server_name (65486) 
Length: 366 
Cipher Suite: TLS_AES_128 GCM_SHA256 (0x1301) 
Key Share Entry: Group: x25519, Key Exchange length: 32 
Group: x25519 (29) 
Key Exchange Length: 32 


Key Exchange: 5b2d544c36ec87fac02496c088348b0d90ffeadbdd24f588... 
Record Digest Length: 32 
Record Digest: 4afd6c77c6962f114c5ecf5d20652ce1c499e43ffe0957a7.. 
Encrypted SNI Length: 292 
Encrypted SNI: 2f3ad680edlb4cf89f60adc31d020c0e34e83933ca015550... 


SIX 


TLS 1.3 and ESNI - Step by Step 


e Client requests the IP address and ESNI public key via DNS over TLS or HTTPS 


TLS or HTTPS 
encrypted connection 


DNS 
_esni.defcon28.hackthis.computer: type TXT, class IN 


nm = 
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TLS 1.3 and ESNI - Step by Step 


DNS server returns the IP address and ESNI public key via DNS over TLS or HTTPS 


(J 
Cloudflare rotates their key every ~1 hour (with a few hours of buffer allowed by the servers) 


TLS or HTTPS 
encrypted connection 


DNS 


_esni.defcon28.hackthis.computer: type TXT, class IN, 
IWGPWZVeACQAHQA gi... 


ma 


II111 
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TLS 1.3 and ESNI - Step by Step 


e Client sends a TLS 1.3 ClientHello with an encrypted_server_name extension 


server { 
listen 443; 
_— server name defcon28.hackthis.computer; 
ClientHello ssl certificate /path/to/cert.pem; 


encrypted_server name 2f3ad680ed1b4cf89f... [col 
} 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 
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TLS 1.3 and ESNI - Step by Step 


e Webserver responds with a ServerHello that includes the encrypted certificate 


server { 
listen 443; 
le server name defcon28.hackthis.computer; 
ServerHello ssl certificate /path/to/cert.pem; 


Certificate (encrypted) 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 
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TLS 1.3 and ESNI - Weak Spots 


e DNSresponse for IP or _esni could be tampered with (poisoned resolver cache) 
DNSSEC!‘ 


TLS or HTTPS 
encrypted connection 


_esni.defcop86"hackthis.computer: tyvP@IXT, class IN, 
/wGPWzVeACQAHQAGi... 


Web Server SD alae 


[4] How DNSSEC Works 104.27.141.154 


TLS 1.3 and ESNI - Weak Spots 


e DNSover TLS or HTTPS is completely blocked 
e Preload ESNI keys to bootstrap the connection 


defcon28.hackthis.computer: type A, class IN 


Qa 
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TLS 1.3 and ESNI - Weak Spots 


e The TLS connection goes to an IP address 

e AnIPmay be shared by many domains, but may not 

e Isthere a generally applicable way to route to any domain via any other? 
o No, but how close can we get? 


server { 


listen 443; 
_— server name defcon28.hackthis.computer; 
ClientHello ssl certificate /path/to/cert.pem; 
encrypted_server_name te ; ai 


server { 
listen 443; 
server name test.hackthis.computer; 
ssl certificate /path/to/test-cert.pem; 


Web Server 
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Domain Hiding and DNS - Issues 


Issue 
DNS is unencrypted 
DNS is untrustworthy 
Encrypted DNS is blocked 
SNI is unencrypted 


IPs (or IPs that domains resolve to) are blocked 


Solution 
DNS over TLS or HTTPS 
DNSSEC 
Bootstrap ESNI keys 
ESNI 


Domain hiding with the largest CDN! 
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Demos 


Cloudflare 


Founded in 2009 

Content Delivery Network (CDN) 

o Highest number of internet exchange points of any network 

o Largest CDN in the world 

o Supports TLS 1.3, ESNI, Websockets, and QUIC 
e Authoritative DNS 


© Over 26,000,000 domains j- ` 
o Supports DNSSEC 
CLOUDFLARE 
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Domain Hiding with Cloudflare 


e A TLS 1.3 connection with ESNI is sent to ANY Cloudflare server 


e AHTTPrequest is sent using that connection can have any Host header 

o True domain must have DNS provided by Cloudflare 
e Cloudflare will forward the request to the true destination - just like domain fronting! 
e Robin Wood (@digininja) was the first to show this was possible 


TLS 1.3 [| eel 
GET/ HTTP/1.1 a. 
Host: hackthis. computer > CLOUDFLARE > ss] 


Any Cloudflare IP RZ 
ENSI: hackthis.computer /1111 


SNI: can-be-anything.com hackthis. computer hosted 
on DigitalOcean 
As of 2020-08-10 ESNI and SNI cannot be used together ~ 


Noctilucent 


e Go (Golang) rewrite of crypto/tls based on Cloudflare’s tls-tris project 
TLS 1.3 support 
o Config options specific for domain hiding 
m ESNIServerName - does not need to match the SNI extension or Host header 
m PreserveSNI - Allows the sending of a ClientHello with both SNI and ESNI 
extensions 
e Dropin replacement for standard crypto/tls - backwards compatible 
e Test client application 
o Attempts DNS over HTTPS (DoH) - Falls back to DNS over TLS, then system default 
DNS 
o Allows command line tuning of nearly every part of the TLS and HTTP connection 
HTTPS and Websocket support 
Cross platform! S SIXGEN 


Normal HTTPS Connection 


Normal HTTPS Connection 


.../esni/client $ ./client-macOS 


[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 


[+] Connecting to 
[+] TLS handshake complete 
[+] Sending GET request: GET / HTTP/1.1 


User-Agent: ESNI_FRONT_TEST 
Accept: x/x 
Connection: close 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 301 Moved Permanently 

Date: Tue, 24 Mar 2020 00:23:42 GMT 

Transfer-Encoding: chunked 

Connection: close 

Cache-Control: max-age=3600 

Expires: Tue, 24 Mar 2020 01:23:42 GMT 

Location: https: //www.cloudflare.com/ 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Set-Cookie: __cf_bm=166e3a90f25654e23ea8574aef6e0cac3fc530e4-1585009422-1800- 
AQQvEoF8e21eEE7TrueGnj4E3ae0Fv38ZtFA2iBp3Dx18Vv+5qaljvAEDCy5kqcTMj0VSs2fgaVUrSDCQjZv+nU=; path=/; 
expires=Tue, 24-Mar-20 00:53:42 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None 
Strict-Transport-Security: max-age=15780000; includeSubDomains 

Server: cloudflare 

CF-RAY: 578c3eb81d10740d-IAD 

alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400 


(0) 
[=] TLS 1.3 => Read 819 bytes 


TLS 1.3 + ESNI HTTPS Connection 


TLS1.3 + ESNI HTTPS Connection 


.../esni/client $ ./client-macOS 


[+] Using resolver: https://doh-2.seby.io/dns-query 


TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 


[+] Connecting to 
[+] TLS handshake complete 
[+] Sending GET request: GET / HTTP/1.1 


User-Agent: ESNI_FRONT_TEST 
Accept: *x/x 
Connection: close 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 301 Moved Permanently 

Date: Tue, 24 Mar 2020 23:41:52 GMT 

Transfer-Encoding: chunked 

Connection: close 

Cache-Control: max-age=3600 

Expires: Wed, 25 Mar 2020 00:41:52 GMT 

Location: https://ww.cloudflare.com/ 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Set-Cookie: __cf_bm=47e9c445d7f4ffdeec643bbe8bb7e0e65ed24bfd-1585093312-1800- 
AezT9reipfUk2D9ZS6D254M17fC/Lo/sVCpGQE3nDmLqByRKS9kuJ23NAXIw31FaASrle2MNV50UNuRL80VLQ84=; path=/; 
expires=Wed, 25-Mar-20 00:11:52 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None 
Strict-Transport-Security: max-age=15780000; includeSubDomains 

Server: cloudflare 

CF-RAY: 57943ed30b4f747e-IAD 

alt-svc: h3-27=":443": ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443": ma=86400 


0 
[=] TLS 1.3 => Read 819 bytes 


Hidden Request (no SNI) 


(EEJ TLS1.3 + ESNI HTTPS Connection 


.../esni/client $ ./client-mac0S 11 cloudflare. com -esni -ESNIServerName defcon28.hackthis.computer 
-HostHeader defcon28.hackthis.computer 

[+] Using resolver: https://dns.rubyfish.cn/dns-query 

[+] Successfully queried _ensi TXT record for host: cloudflare.com 
[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 

[=] ENSI host set to: defcon28.hackthis.computer 

[=] SNI host has been unset 

[+] Connecting to https://cloudflare.com:443 

[+] TLS handshake complete 

[+] Sending GET request: GET / HTTP/1.1 

Host: defcon28.hackthis.computer 

User-Agent: ESNI_FRONT_TEST 

Accept: */% 

Connection: close 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 200 OK 

Date: Tue, 24 Mar 2020 23:47:47 GMT 

Content-Type: text/plain; charset=utf-8 

Content-Length: 14 

Connection: close 

Set-Cookie: __cfduid=d4f30bc8fdaaaa9f40faea6ad776822a71585093667; expires=Thu, 23-Apr-20 23:47:47 GMT; 
path=/; domain=.hackthis.computer; HttpOnly; SameSite=Lax 

CF-Cache-Status: DYNAMIC 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Server: cloudflare 

CF-RAY: 5794477ebfd7745d-IAD 


Hello DEF CON! 
[=] TLS 1.3 => Read 488 bytes 


Fronted Request (with SNI) 


(EE) TLS1.3 + ESNI HTTPS Connection 


.../esni/client $ ./client-mac0S | oo} cloudflare. com -esni -ESNIServerName defcon28.hackthis.computer 
-HostHeader defcon28.hackthis.computer -serverName cloudflare.com -preserveSNI 

[+] Using resolver: https://dns.rubyfish.cn/dns-query 

[+] Successfully queried _ensi TXT record for host: cloudflare.com 

[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 

[=] ENSI host set to: defcon28.hackthis.computer 

[=] SNI host set to: cloudflare.com 

[+] Connecting to https://cloudflare.com:443 

[+] TLS handshake complete 

[+] Sending GET request: GET / HTTP/1.1 

Host: defcon28.hackthis.computer 

ta ESM INN WEST As of 2020-08-10 this no longer works due to 
Connection: close a change at Cloudflare 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 200 OK 

Date: Tue, 24 Mar 2020 23:53:26 GMT 

Content-Type: text/plain; charset=utf-8 

Content-Length: 14 

Connection: close 

Set-Cookie: __cfduid=db2a920903e1a64ddd9a144770c84265d1585094006; expires=Thu, 23-Apr-20 23:53:26 GMT; 
path=/; domain=.hackthis.computer; HttpOnly; SameSite=Lax 

CF-Cache-Status: DYNAMIC 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Server: cloudflare 

CF-RAY: 57944fc418b4ceec-IAD 


Hello DEF CON! 
[=] TLS 1.3 => Read 488 bytes 


So what? 


e Anydomain protected by Cloudflare is able to arbitrarily front to any IP 
o Target IP can be hosted anywhere 
o DNS must be run via Cloudflare 
e Cloudflare Managed DNS is free 
e Signup requirements? 
o Email (disposable is ok) 
o Password 
o That's it! 
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What Can You Hide With? 


e Source: Alexa top 100,000 domains 


HTTPS GET request looking for cloudflare cookies, Expect-CT header, or Server 


e Results: 


o Atleast 21% of the top 100,000 domains are available to front (21,298) 


o Afewexamples: 

m myshopify.com 
medium.com 
discordapp.com (on the PA whitelist)” 
udemy.com 
zendesk.com 
coinbase.com (on the PA whitelist)? 
hdfcbank.com 
mozilla.org (on the PA whitelist)? 
teamviewer.com 


[5] List of Domains and Applications Excluded from SSL Decryption 


blackboard.com 
okta.com 
bitdefender.com 
ny.gov 

mlb.com 
stanford.edu 
plex.tv 
coronavirus.gov.hk 


So much porn... 
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Just doing some Single Sign On... 


Fronting via www.okta.com 


.../esni/client $ ./client-macOS 


-serverName www.okta.com -preserveSNI 
Using resolver: https://dns.rubyfish.cn/dns-query 


TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 


[=] SNI host set to: www.okta.com 

[+] Connecting to 

[+] TLS handshake complete 

[+] Sending GET request: GET / HTTP/1.1 


User-Agent: ESNI_FRONT_TEST 
Accept: x/x 
Connection: close 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 200 OK 

Date: Wed, 25 Mar 2020 00:51:16 GMT 

Content-Type: text/plain; charset=utf-8 

Content-Length: 14 

Connection: close 

Set-Cookie: __cfduid=d8f3c3cba363e375baa558d574687b5891585097476; expires=Fri, 24-Apr-20 00:51:16 GMT; 
path=/; domain=.hackthis.computer; HttpOnly; SameSite=Lax 

CF-Cache-Status: DYNAMIC 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Server: cloudflare 

CF-RAY: 5794a47a8a5bcedc-IAD 


Hello DEF CON! 
[=] TLS 1.3 => Read 488 bytes 


SNI Based Web Filters 


e Many products only look at SNI 

o ESNI completely ignored 
e By preserving the SNI along with ESNI, filters and analytics can be tricked 
e Example: Untangle 

o Installed with strict web filter settings 


Install Type 


Choose Type: 
SEE A i} Config teports [=] Sessions Ho 
azz Apps ong eports — SESSIONS did Federal Government M 


untangle 


© Back to Apps (Default Policy) & Web Filter © 


Status Categories Search Terms Site Lookup Block Sites Pass Sites Pass 
Block or flag access to sites associated with the specified category. 


© Add 
Site Block Flag Description IG SIXGEN 
‘defcon28.hackthis. computer W] W] ” defcon28.hackthis. computer 


Fooling SNI based Firewalls 


Bypass Untangle 


.../esni/client $ ./client-macOS 


-serverName bypass-untangle.com -preserveSNI 
[+] Using resolver: https://dns.dns-over-https.com/dns-query 


TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 


[=] SNI host set to: bypass-untangle.com 
[+] Connecting to 

[+] TLS handshake complete 

[+] Sending GET request: GET / HTTP/1.1 


User-Agent: ESNI_FRONT_TEST 
Accept: x/x 
Connection: close 


[+] GET request sent 

[=] Reponse: 

HTTP/1.1 200 OK 

Date: Wed, 25 Mar 2020 17:57:52 GMT 

Content-Type: text/plain; charset=utf-8 

Content-Length: 14 

Connection: close 

Set-Cookie: __cfduid=d36de3ddd5f10701036dc5cf8b78df9e61585159072; expires=Fri, 24-Apr-20 17:57:52 GMT; 
path=/; domain=.hackthis.computer; HttpOnly; SameSite=Lax 

CF-Cache-Status: DYNAMIC 

Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" 
Server: cloudflare 

CF-RAY: 579a844d9e41cf68-IAD 


Hello DEF CON! 
[=] TLS 1.3 => Read 488 bytes 


Fooling SNI based Firewalls 


Top Domains (by request) Z Refresh O Auto (5 sec) Z Data View | FA Download (Image) | © Add to Dashboard || @& Settings 


The number of web requests grouped by domain. 


Domain [domain] | value 
ubuntu.com 100 
Domain firefox.com 91 
[domain] by hits nextdns.io 68 
© ubuntu.com cloudflare-dns.com 63 
sn _ s 
© cloudflare-dns.com blahdns.com 46 
© Der" mozilla net 42 
o ag pki.goog Se 
© pki.goog bypass-untangle.com 31 
ra a google.com 28 
Others mozilla.com 27 
securedns.eu 26 


HTTPS Decrypting Firewalls 

e Seen in enterprise environments 
o Install a root certificate on endpoints 
o Break and re-encrypt traffic that passes through 
o Corporate Man-in-the-Middle 

e Allows analysis of full packet data! 

e Kazakhstan attempted this nation-wide in July 2019° 

e Does TLS 1.3/ESNI offer a way around these firewalls? 


© SIXGEN 
[6] Kazakhstan government is now intercepting all HTTPS traffic 


HTTPS Decrypting Firewalls 
e Palo Alto PA-VM 10.0.0 Simplified Decryption 


= 7 Deploy and maintain TLS decryption with ease. Now with support 
9 Released 2020 06 17 for TLS 1.3 and up to 2X performance boost. 


o Major new feature: TLS 1.3 decryption 
o Default decryption profile does not include TLS 1.3! 


m Allows TLS 1.3 to pass with an error 


TLS1.3 Client and decrypt profile version mismatch. Supported client 
version bitmask: 0x40. Supported decrypt profile version 
bitmask: 0x38. 


TLS13 Client and decrypt profile version mismatch. Supported client 
version bitmask: 0x40. Supported decrypt profile version 
bitmask: 0x38. 


TLS1.3 Client and decrypt profile version mismatch. Supported client IG SIXGEN 
version bitmask: 0x40. Supported decrypt profile version 
bitmask: 0x38. 


[Palo Alto bypass via Mozilla fronting] 
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What Else? 


e Many connections to a fronted site may be suspicious 
o What protocols can we use? 
m HTTP 
m Websockets 
m Arbitrary TCP/UDP via a helper 


© SIXGEN 


Fronting Streaming data with Websockets 


ee Fronting Streaming data with Websockets 


.../esni/client $ ./client-mac0S -esni -ESNIServerName defcon28.hackthis.computer 
-serverName www.okta.com -preserveSNI -useWebsocket -URL /websocket 

[+] Using resolver: https://dns.rubyfish.cn/dns-query 

[+] Successfully queried _ensi TXT record for host: www.okta.com 


[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 
ENSI host set to: defcon28.hackthis.computer 
SNI host set to: www.okta.com 
Connecting to 
TLS handshake complete 
We elat Ce lo Hellc NE 


À SIXC 


[Cloak Demo] 
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[Cloak+CobaltStrike Demo] 
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[DeimosC2 Demol 
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What is Blue to Do? 


What is Blue to Do? 


e Disable TLS 1.3 (25-50% of traffic) 
e Block Cloudflare (26 million domains)? 
e Block ClientHellos with an encrypted_server_name extension? 
o Technically possible 
o Netsweeper >=6.4.1 (2020-02-25) can block all ESNI traffic 
m Cannot categorize sites 
m Allor none 
o No other vendors currently support ESNI blocking as of today 
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What is Blue to Do? 


e Flag on ClientHello packets with both “server_name” and/or “encrypted_server_name’ 
o Snort 
m Possible with custom rules? 
m ss! state:client hello 
m tis.version can narrow down to 1.3 
m SNI extension type is0x0000 
m ESNI extension type is 0xffce 
o  Securicata 
m Snort with extra features 
m hastls.snibutnotls.esni 
o Zeek 
= The third field of JA3 is TLS extensions 
a Alert onany traffic with 65468 (Oxf fce) SE 


J 


What is Blue to Do? 


e “Good old fashioned police work” 
o Beaconing detection and anomaly network analytics 
m RITA or Beaker (or fancy Al/ML) 
m How much should a user interact with a site? How often? How much data? 
o JA3 and JA3S mismatches 
m Should svchost.exe have a JAS fingerprint of Go? 
m Cloak and utls are working to defeat this 
o Wellinstrumented EDR, application whitelisting, etc 
= Don't get pwned in the first place! 
m “Server administrators should never allow untrusted code to run on the server” 
-Microsoft 
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Domain Hiding - Noctilucent - The Future 


Latest advancement in censorship resistant communication 
e Useable today 
o Go -dropin replacement 
o Cloak fork - use with anything that can be proxied (CobaltStrike, etc) 
Will be harder to block as TLS 1.3 and ESNI adoption grows 
ESNI REC is in flux (last updated 2020-06-01) - might break tomorrow 
o Actually called ECH as of May 2020 
e Currently relies on a single (massive) CDN 
o Cloudflare please don't break this 
m 2020-08-10: They broke it! ClientHellos with both ESNI and SNI are 


rejected 
m ESNI to any Cloudflare IP still works 
m China now blocks any traffic with an ESNI at the great firewall Qaxcen 


e Blue Team: Your move! 


Special Thanks 


e Robin Wood (@digininja) - freelance pen-tester, researcher and developer 
e Andy Wang (cbeuw) - developer of Cloak 
e Nick Sullivan (@grittygrease) - Head of Research and Cryptography at Cloudflare 
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